The California Privacy Protection Agency (CPPA) Board met on November 8th and voted to adopt new regulations for data broker registration requirements. Under current requirements, data brokers are required to register with the CPPA annually, pay a registration fee of $400, provide details of their data collection practices and make certain disclosures regarding their deletion request metrics. The new regulations expanded the definition of a “data broker”, clarified registration requirements and added instructions to correct erroneous registrations.
When do the amendments apply?
The proposed amendments must be filed with the Office of Administrative Law for review and approval. If approved, the regulations will become effective by January 1, 2025.
To whom do the amendments apply?
Under the current law, a data broker is defined as a business that collects and sells the data of consumers with whom it does not have a direct relationship.[1] The new regulations make clear that a business does not establish a direct relationship with a consumer merely because the consumer contacts the business to exercise a privacy right enumerated under the CPPA.[2] Further, the new regulations state that a business is still considered a data broker if it has a direct relationship with a consumer but also sells personal information about the consumer that the business did not collect directly from the consumer.[3]
What changes are there to data broker obligations?
Data brokers are still required to register with the CPPA during the registration period of January 1 through January 31st. The newly approved regulations require the data broker to provide functioning website links and email addresses as part of their registration, use the business trade name with a point of contact and provide contact information.[4]
In their registration, data brokers must state whether and to what extent they are regulated by the following laws:
- Fair Credit Reporting Act
- Gramm-Leach-Bliley Act
- Insurance Information and Privacy Protection Act
- Confidentiality of Medical Information Act.[5]
The new amendments require the data broker to describe what personal information the data broker collects and sells, the specific products and the approximate proportion of data collected and sold that is subject to the above laws.[6]
Lastly, the new regulations provide instructions for data brokers to correct erroneous registrations, including a change in name, email or phone number, public-facing contact information, or public-facing website addresses.[7]
What are the consequences of noncompliance?
The administrative fines under the data broker registration regulations remain in effect. If a data broker fails to register in California, it can face fines of up to $200 per day for each day it remains unregistered.[8]
Takeaways
- Consider and evaluate whether your organization, in whole or in part, falls under the broader definition of a data broker.
- Prepare the required information for registration for January 2025.
- If regulated by the enumerated laws, prepare the newly required information for registration for January 2025.
- Register with the Agency by January 31st, 2025.